ui: login page — SSO button + oidc_error banner

internal/server/http/ui_handlers.go

@@ -922,7 +922,14 @@ func (s *Server) handleUILoginGet(w stdhttp.ResponseWriter, r *stdhttp.Request)
 		stdhttp.Redirect(w, r, "/", stdhttp.StatusSeeOther)
 		return
 	}
-	view := ui.ViewData{Version: s.version()}
+	view := ui.ViewData{
+		Version:   s.version(),
+		OIDCError: r.URL.Query().Get("oidc_error"),
+	}
+	if s.deps.OIDC != nil {
+		view.OIDCEnabled = true
+		view.OIDCDisplayName = s.deps.OIDC.DisplayName()
+	}
 	if err := s.deps.UI.Render(w, "login", view); err != nil {
 		slog.Error("ui: render login", "err", err)
 		stdhttp.Error(w, "internal", stdhttp.StatusInternalServerError)
@@ -948,6 +955,10 @@ func (s *Server) handleUILoginPost(w stdhttp.ResponseWriter, r *stdhttp.Request)
 			Username: username,
 			Error:    "Invalid username or password.",
 		}
+		if s.deps.OIDC != nil {
+			view.OIDCEnabled = true
+			view.OIDCDisplayName = s.deps.OIDC.DisplayName()
+		}
 		w.WriteHeader(stdhttp.StatusUnauthorized)
 		if err := s.deps.UI.Render(w, "login", view); err != nil {
 			slog.Error("ui: render login (post-fail)", "err", err)

internal/server/ui/ui.go

@@ -56,6 +56,19 @@ type ViewData struct {
 	// today; other pages can adopt the same field.
 	Error string
 
+	// OIDCEnabled is true when the server has an OIDC provider
+	// configured. The login page uses it to show the SSO button.
+	OIDCEnabled bool
+
+	// OIDCDisplayName is the human-readable label for the OIDC
+	// provider (e.g. "Authelia"). Shown on the SSO button.
+	OIDCDisplayName string
+
+	// OIDCError holds an error code returned via ?oidc_error=… after
+	// a failed OIDC callback. The login page maps it to a user-facing
+	// message.
+	OIDCError string
+
 	// Page carries page-specific data. Concrete type is the page's
 	// own struct.
 	Page any